Ultimate Guide to PDPA Compliance

This guide is intended to help you avoid the most common compliance failures.

It gathers everything needed to meet the requirements of the Personal Data Protection Act (PDPA) and to protect your organisation from administrative fines, possible criminal penalties, and legal action by data subjects who believe their rights have been violated.


PDPA Compliance Checklist

Before you begin the Online Assessment from Safecoms, we strongly advise reading through this guide. Use it as a reference for any question about the data requested by the assessment form.

Once you have answered each question, return to this PDPA Checklist whenever you like and tick off every element to confirm that your compliance programme is robust.

Even if you believe you are already compliant with the PDPA, whether from an exercise you ran yourself or with another consultant, review the list carefully and confirm that each step is covered by your existing compliance programme.

By following these steps, your business will be better prepared for compliance with the Personal Data Protection Act and can protect its customers' data from misuse or exploitation. Remember that failure to comply with the law can result in significant fines and other sanctions, so this matter must be taken seriously.

Even if you are already PDPA compliant, use our checklist to reassess your position and apply our method wherever you find gaps.

Compliance Checklist

1. Create a Data Protection Policy and Privacy Notice

Develop and publish a clear and comprehensive privacy policy that outlines how you collect, use, store and manage personal data. This should include the types of data you collect, how it will be used, who has access to it, and how you will secure it. Review your privacy policy periodically to ensure that it is up-to-date and reflects any changes in the law.

Your Data Controller is responsible for defining the boundaries of how your company collects, stores and uses the personal data it receives from customers. The policy should also specify the security measures in place to protect personal data from unauthorised access or misuse. Inform customers and employees (your Data Subjects) how you collect, use and store their personal data; this can be done through physical notices or online forms.

2. Identify what personal data you are collecting and why

Knowing exactly what personal information is being collected and for which purpose is essential to identify potential risks associated with its collection. 

Understanding the legal and ethical implications of using personal data should also be carefully considered. Furthermore, it is important to assess how this data will be used, stored and disposed of, to ensure data privacy and security.

3. Restrict access to personal data

As the Data Controller, you should designate the people who are authorised to access the personal data you have collected (employees acting under your authority, and any external Data Processors) and set up a system for granting and revoking that access.

Establish protocols for who can access personal customer information and how they can do so. Limit access to those with a need to know, make every grant time-limited and subject to review, and document every change so that you can show who had access to what information at any given time.

Ensure that the personal data collected is accurate, complete and up-to-date in order to provide reliable information. Out of date or inaccurate personal data can lead to incorrect decisions and may impact the quality of services offered.

4. Implement security measures

Security controls such as firewalls, encryption (in transit and at rest) and two-factor authentication help protect your customers' data against unauthorised access. Apply these controls as appropriate for your business and make sure you comply with any applicable regulations regarding data privacy.

To protect customer data from being lost, it is essential to have a reliable backup system in place, and to test that backups can actually be restored.

5. Ensure compliance with the law

Make sure you are abiding by all applicable data protection laws related to personal data, such as the Personal Data Protection Act (PDPA). This includes having a lawful basis (consent, or another basis the Act recognises) for collecting or using personal data, and implementing security measures to prevent unauthorised access to and misuse of personal data.

It also requires providing notifications about the collection, use and disclosure of personal data. Additionally, stay up-to-date with any changes in the law regarding data protection. Consider subscribing to Safecoms' PDPA Newsletter.

6. Monitor and audit employee access to personal data

Closely monitor how employees handle the personal data they have access to and regularly audit their activities to ensure proper use and security of such personal data. 

Make sure you have the right policies and procedures in place to ensure that employees understand their responsibilities when it comes to handling personal data, especially sensitive personal data. 

Additionally, consider access control measures such as role-based permissions, two-factor authentication and access logging to limit and monitor access to such sensitive data.
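The two checklist items above (restricting access on a need-to-know basis with documented grant and revocation, and monitoring and auditing employee access) can be implemented as a small deny-by-default access register. The following is an added example, not code from this guide or from any Safecoms tool: the dataset names, the principals, the 30-day and 90-day grant lifetimes and the scenario timeline are all illustrative assumptions. Every grant records who approved it and for what purpose, every access attempt (allowed or denied) is appended to an audit log, and a periodic review reports denied attempts on sensitive data and who currently holds sensitive access.

```python
# Added example (not from the guide or any Safecoms tool): a deny-by-default,
# need-to-know access register with time-limited grants and an append-only audit trail.
# Dataset names, principals and the 30/90-day grant lifetimes are illustrative assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NORMAL = "normal"
SENSITIVE = "sensitive"  # e.g. health or biometric data, which the PDPA treats as sensitive


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str  # NORMAL or SENSITIVE


@dataclass
class Grant:
    principal: str        # employee or external processor identity
    dataset: str
    purpose: str          # the need-to-know reason, recorded with the grant
    granted_by: str
    granted_at: datetime
    expires_at: datetime  # every grant is time-limited and must be renewed
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

    def active(self, at: datetime) -> bool:
        """True if the grant was in force at time `at` (not revoked or expired by then)."""
        not_revoked = self.revoked_at is None or at < self.revoked_at
        return not_revoked and self.granted_at <= at < self.expires_at


class AccessRegister:
    def __init__(self, datasets):
        self.datasets = {d.name: d for d in datasets}
        self.grants: list[Grant] = []
        self.audit: list[dict] = []  # append-only; entries are never edited in place

    def _log(self, event, at, **fields):
        self.audit.append({"event": event, "at": at.isoformat(), **fields})

    def grant(self, principal, dataset, purpose, granted_by, at, ttl_days=None) -> Grant:
        ds = self.datasets[dataset]  # KeyError: only registered datasets can be granted
        if ttl_days is None:         # sensitive data gets a shorter review cycle (assumption)
            ttl_days = 30 if ds.classification == SENSITIVE else 90
        g = Grant(principal, dataset, purpose, granted_by, at, at + timedelta(days=ttl_days))
        self.grants.append(g)
        self._log("grant", at, principal=principal, dataset=dataset, purpose=purpose,
                  by=granted_by, expires=g.expires_at.isoformat())
        return g

    def revoke(self, principal, dataset, revoked_by, at) -> int:
        """Close every grant active for (principal, dataset); returns the number closed."""
        closed = 0
        for g in self.grants:
            if g.principal == principal and g.dataset == dataset and g.active(at):
                g.revoked_at, g.revoked_by = at, revoked_by
                closed += 1
        self._log("revoke", at, principal=principal, dataset=dataset, by=revoked_by, count=closed)
        return closed

    def is_authorised(self, principal, dataset, at) -> bool:
        return any(g.principal == principal and g.dataset == dataset and g.active(at)
                   for g in self.grants)

    def access(self, principal, dataset, at, action="read") -> bool:
        """Gate one access attempt; allowed and denied attempts are both logged."""
        known = dataset in self.datasets
        allowed = known and self.is_authorised(principal, dataset, at)
        self._log("access", at, principal=principal, dataset=dataset, action=action, allowed=allowed,
                  classification=self.datasets[dataset].classification if known else "unknown")
        return allowed

    def review(self, at) -> dict:
        """Periodic audit: denied attempts on sensitive data, and who holds sensitive access now."""
        denied = [e for e in self.audit if e["event"] == "access" and not e["allowed"]
                  and e["classification"] == SENSITIVE]
        holders = [g for g in self.grants if g.active(at)
                   and self.datasets[g.dataset].classification == SENSITIVE]
        return {"denied_sensitive": denied, "sensitive_holders": holders}


def demo() -> dict:
    """Constructed scenario: a support agent, a payroll clerk who changes role, one audit."""
    t0, day = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), timedelta(days=1)
    reg = AccessRegister([DataSet("customer_contacts", NORMAL),
                          DataSet("biometric_attendance", SENSITIVE)])  # factory presence data
    reg.grant("alice", "customer_contacts", "customer support", "dpo", t0)
    reg.grant("bob", "biometric_attendance", "payroll reconciliation", "dpo", t0)
    results = [reg.access("bob", "biometric_attendance", t0 + 1 * day),    # allowed
               reg.access("alice", "biometric_attendance", t0 + 2 * day)]  # denied: no need-to-know
    reg.revoke("bob", "biometric_attendance", "dpo", t0 + 10 * day)         # bob changes role
    results += [reg.access("bob", "biometric_attendance", t0 + 11 * day),  # denied after revocation
                reg.access("alice", "customer_contacts", t0 + 40 * day),   # allowed: 90-day grant
                reg.access("alice", "customer_contacts", t0 + 91 * day)]   # denied: grant expired
    report = reg.review(t0 + 5 * day)
    return {"results": results,
            "denied_sensitive": [(e["principal"], e["at"]) for e in report["denied_sensitive"]],
            "sensitive_holders": [g.principal for g in report["sensitive_holders"]],
            "audit_events": len(reg.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that the register is the single place where need-to-know is decided: nothing is readable without a recorded grant, a grant that is never renewed silently stops working, and the audit log captures denied attempts as well as successful ones, which is what the periodic review in checklist item 6 needs in order to spot an employee probing sensitive data they were never authorised to see.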

7. Train your staff on PDPA

It is important for everyone handling customer or client information to understand their responsibilities when it comes to protecting sensitive information. 

All your employees should be trained on proper data handling and protection practices, such as transferring data securely between systems, encrypting information in transit, and recognising what constitutes a breach of customer privacy.

8. Educate customers about their rights under PDPA

As part of your company’s commitment to transparency and accountability, make sure customers are aware of their rights under the PDPA. This could include informing customers of their right to access or correct the personal data your company holds about them and assisting them in the process.

9. Respond to data breaches

If there is a data breach, notify those affected and take appropriate steps to remedy the situation in accordance with the PDPA. Under the PDPA, the Office of the Personal Data Protection Committee must be notified without delay and, where feasible, within 72 hours of becoming aware of the breach, and affected data subjects must be informed where the breach is likely to result in a high risk to their rights and freedoms. Depending on the nature and severity of the breach, the response may also include communicating with the media and implementing additional security measures.

10. Develop an incident response procedure

In order to quickly identify and address any potential data breaches, you should have a well-defined procedure for responding to incidents involving customer information. This procedure should include steps for identifying, responding to, and documenting any incident involving the unauthorised access, alteration or use of personal data.

It should also include policies and procedures for encrypting, handling and securely disposing of any personal data obtained during the investigation. Additionally, it should identify who is responsible for each step in the process.

11. Have a procedure in place for deleting or transferring personal data upon customers’ requests

Customers should be able to request that you delete or transfer their personal data if they so choose, so make sure your company has a clear process in place for fulfilling such requests.

This process should include verifying the customer's identity, securely deleting or transferring the data, and notifying them when the process is complete.

You need to maintain a registry of requests and the action taken on each one.

12. Make sure all third-party service providers comply with the PDPA

It is of utmost importance to ensure that any third-party vendors you employ who access customer information are compliant with the PDPA. You need to take additional steps to verify their compliance, as they act as your Data Processor and must follow the instructions set by the Data Controller.

They must be bound by a legally binding agreement, such as a Data Processing Agreement, in order to adhere properly to this data protection law.


Here are your 6 Steps to Compliance

1. Create your Compliance Team

Build a team within your organization that is committed to the protection of the privacy of Data Subjects. Specify the official roles (Data Controller, Data Protection Officer, and Data Processor) as well as those who will aid you (Security advisor, etc.). Allocate their respective responsibilities for maximum efficiency.

2. Analyse your Company

Carefully examine your company for areas where Personal Data is being processed or stored, and specify who will be responsible for each area. Repeat the same procedure to identify the third-party entities that have access to personal data under the control of the Data Controller.

3. Data Collection and Storage

Define the type of Data you are handling, classified into normal Data or Sensitive Data. Understand the legal basis for the collection. Minimize data processing, and explore ways to exclude non-critical data. Analyze your entire company as well as all third-party suppliers.

4. Risk Management

Consider the amount of personal data you are exposed to and your degree of processing, either systematic or sporadic. Analyze potential risks in case of a possible data breach. Ensure that you are ready to answer any queries by Data Subjects or Regulators accordingly. Additionally, stay vigilant with all modifications to your data protection regulations and every communication conducted with those who provide their personal data.

5. Compliance for Data Protection

Stay informed of any changes in the law, keep evaluating the Sensitive Personal Data you hold and how to protect it, train employees on data processing and security measures, review your compliance initiatives regularly to avoid violations, and obtain explicit consent from individuals before collecting Sensitive Personal Data. These steps are essential for the Data Controller to comply with the PDPA regulations.

6. A Checklist review to close the last GAPS

Once you have completed all the necessary steps for compliance, it is important to verify with a checklist that nothing has been left out. If gaps are found in the process, they should be addressed immediately. iCompli can help you ensure that everything is kept on track so that no detail is overlooked. Use our Checklist and make sure that your compliance management system is up to date.

Why our Self-Assessment Guide for PDPA Compliance?

This guide is a great resource to help businesses better understand and comply with PDPA in Thailand. By using this online self-assessment, we can quickly identify any risks associated with processing personal data, as well as gain insight into the practices used by other organizations for improving security. This assessment tool can help organizations become better equipped to handle any potential data protection threats and ensure that their customers' data is safe and secure. With this in mind, businesses will be well on their way to meeting the Personal Data Protection Act regulations in Thailand.

Paul Ashburn, Co-Managing Partner, HLB - Thailand

The PDPA online self-assessment guide is designed to help organisations put data protection in place quickly in order to comply with the Personal Data Protection Act (PDPA) in Thailand.

The guide covers all aspects of PDPA compliance. It offers practical advice on processes, examples of privacy policies, privacy notices, data processing agreements, and definitions of roles for compliance. 

Companies can use this self-assessment tool to assess their existing data protection processes and procedures and identify areas where changes need to be made to meet the requirements of PDPA on securing personal data and the privacy of Data Subjects.

The guide also helps familiarize users with the work environment, workspace, and people affected by any potential data processing activities.

The PDPA online self-assessment guide not only assists data controllers and companies in meeting the Personal Data Protection Act guidelines but also helps demonstrate to potential partners and customers your commitment towards protecting consumer data.

By following the self-assessment, organisations gain a comprehensive overview of their operations and can recognise any existing risks involved with collecting or using personal information.

With this tool, businesses show others that they take data privacy seriously and safeguard confidential details responsibly.

The assessment covers the types of data held, whom to contact if there is a breach, and how to handle customer data securely.

By using this online self-assessment guide, businesses can ensure that their practices are secure and compliant with PDPA regulations. The tool provides an immediate analysis of risk areas related to processing personal data and evaluates any organization’s existing data protection processes and procedures.

This guide provides a comprehensive view of how to comply with the Personal Data Protection Act in Thailand, enabling businesses to be better equipped to handle any potential threats, as well as gain insight into the practices used by other organizations for improving security and compliance. It is an invaluable resource for companies that want to ensure they are meeting their obligations and protecting the data of their customers.

SafeComs offers security audits and training for IT safety and Data Protection Act awareness.

Guide to Personal Data Protection Act for Consultants

Start to Leverage this Self-Assessment

To ensure the success of your data protection project, we recommend that you familiarise yourself with the work processes and staff responsibilities. Additionally, identify and classify any personal data being processed into normal or sensitive personal data. 

Be aware that biometric data used in factories to track presence is classified as sensitive biometric data. Assess potential risks in case of a data breach and consider if a Data Protection Impact Assessment is necessary. 

Maximize your potential

Review your existing protocols and update them to comply with the PDPA regulations. Finally, use our self-assessment questionnaire to evaluate your privacy policy's compliance status for personal data. 

Our team of experienced consultants can bridge any identified gaps in this compliance, offering services such as security audits, data classification, protocol validation and IT security awareness training to ensure the success of your Data Protection project!


1. Create your Compliance Team

To start this project, a Data Privacy Committee must be formed, and when required or suggested, someone must be appointed as the Data Protection Officer (DPO). A Data Controller representative should also be assigned to set the rules for conforming with the PDPA. To make sure all necessary resources are available in the future, enlist internal and external legal help; every division manager will also need to offer their support when requested. Finally, obtain commitment from everyone who is expected to contribute.

  • Ensure maximum support from Top Management to guarantee success.
  • Assemble your Data Privacy Committee to safeguard critical information.
  • Make sure you have one dedicated contact for all inquiries and data relating to your project.
  • Identify who is responsible for providing your company with legal assistance.
  • Will you be the one driving this project?
  • Who is ultimately responsible for your data?
  • Do you have a Data Protection Officer (DPO)? This important person oversees and implements data protection measures that ensure compliance with privacy regulations.

Each team member will have different roles and responsibilities. However, everyone should be involved in understanding the implications of data privacy regulations, as well as implementing policies that ensure compliance with PDPA.


2. Analyse your Company

It is of the utmost importance that you know your company's description, main activities and organisation chart. You must also recognise all areas where Personal Data could be collected or processed by your firm. You are responsible not only for data processing conducted within your company walls but also for any external processing operated by third-party contractors. Ensure that you have a full understanding of who is handling Personal Data.

Create a detailed visual representation of your organization's structure

Spend time analysing the branch offices, responsibilities and location of each department where personal data processing exists, and recognise any third parties taking part in your company's operations. Then ask:

  • Does a comprehensive security policy exist that guarantees PDPA compliance?
  • What level of security does every department possess?
  • How secure are the third parties working for your organisation?
  • Are there awareness programmes to educate employees about their duties under the PDPA and other relevant laws?
  • What training do your personnel need before they start working with confidential information or with the privacy protection measures in place in the firm?


3. Data Collection and Storage

To begin, you must discover and document every instance of personal data that is collected by your offices or departments, as well as any third-party contractors. To ensure you fully understand the flow of all information, a Data Map should be created detailing what has been gathered and how it needs to be handled with its corresponding level of sensitivity.

Once data has been gathered or processed, it is integral to discern where the information will be stored. You must assess and guarantee that any security measures employed are appropriate for the nature of said information throughout your organization and with all external entities you interact with.

For your company

Identify the physical or logical location of each data silo, and determine what operations are occurring in the collection area. Collect a copy of every form used to gather data in each department. Ascertain which personal information is being gathered, classifying it as either normal or sensitive. Confirm that the collection is lawful, fair for the data subjects and actually necessary; if not, remove any fields that gather sensitive material which is not essential.

For your data Repository

Is data security a top priority? For normal and sensitive information alike, do you have a Record of Processing Activities (RoPA) and a Privacy Notice for each collection in place? If not, prepare these documents and add them to your assessment.

For each 3rd party

Identify the physical or logical location of each data silo operated by the third party and analyse what processing is taking place in its collection area. Collect a copy of every form it uses to gather personal data, categorising the data as either normal or sensitive. Ascertain whether collecting this data is lawful, fair for the data subject and actually necessary; remove any fields that gather sensitive information which is not critical for your purpose.

For your data Repository

What measures do you have in place to protect both normal and sensitive data? Do you have a Records of Processing Activity (RoPA) for each collection as required under the PDPA regulations? Additionally, is there a Privacy Notice available that Data Subjects can view regarding each individual collection on your website or service?

Privacy policies and Notices for Data Subjects

It is of the utmost importance that you create privacy notices and policies tailored to your customers, employees, and other stakeholders. Detailing what personal information is being collected, how it will be utilized, who has access to this data as well as how it can be safeguarded should all be included in a clear manner so that everyone involved understands your policy. If you don't have any internal documents already set up for guidance purposes then our templates are available at your convenience!

To keep data subjects informed, every data collection point should carry a clear Privacy Notice that states the privacy and retention policy. Furthermore, as detailed in the annexes, each collection should be covered by a Record of Processing Activities (RoPA).


4. Risk Management

Compliance is a key component of success.

Risk Management is an essential part of adhering to the privacy act. Apply the strongest security measures to sensitive information and scale the controls on other data to the risk it poses to the individuals whose data is being processed. To understand how exposed your company is, undergo a Risk or Impact Assessment, which will help determine what harm could be done to people if their personal information were ever compromised.

As you collect each form that captures personal data, ask yourself the following questions to analyze whether your business is legally obligated to complete a RoPA and an Impact Assessment.

  • Do you process data systematically or only on occasion?
  • Do you process personal data on a large scale or a small scale?
  • Do you merge data that could increase personal identification?
  • Do you share data with other companies?
  • Do you export sensitive personal data to other countries?
  • Do you use Cloud-based storage in your infrastructure?
  • Do you use cloud-based email?

An Action Plan for Responding to Data Requests

Establish a registry for all of your data subject requests, including how you verify the identity and legitimacy of the requester. Make sure to document any changes or updates to keep your records organized and up-to-date. Additionally, create an efficient process for handling requests regarding the deletion of data as well as appeals from Data Subjects who believe their rights have been violated.

Strengthen your defences by constructing an Incident Response Plan today!

It is critical to recognise the difference between a security incident and a personal data breach, and when each must be reported. You should also know precisely what information needs to be relayed, and to whom it has to be sent under your organisation's internal processes. Finally, define which incidents can be handled internally only.

Uncovering and Presenting Data

After completing the self-assessment, our guide offers a thorough audit and risk assessment to verify that your business adheres to PDPA. Our goal is to pinpoint any gaps in processes and data protection practices so they can be quickly rectified. This self-assessment software provides businesses with an exhaustive way of ensuring their compliance with PDPA, as well as the means for reporting back if ever checked by the regulators.


5. Compliance for Data Protection

Compliance is an ongoing journey, not a one-time mission. To ensure you remain at the highest level of compliance and avoid any security risks, it's necessary to continually analyze your current state of compliance, anticipate changing circumstances in advance, and stay up-to-date with law modifications from regulators. Here are several tactics we advise undertaking for long lasting adherence that allows you to rest easy knowing your data remains safe.

Regular actions

To ensure the security of sensitive data, conduct an annual audit of your security posture. Monitor legislation and measure the efficacy of your cybersecurity plan so that its effectiveness is reviewed regularly. New staff should be trained on onboarding, and all employees should receive refresher training annually.


6. A Checklist review to close the GAPS

As the PDPA law advances, our team ensures that we are up to date with all developments by attending information sessions held by Government Organizations and thoroughly studying all official publications. Our objective during these meetings is twofold: not only do we wish for businesses to experience a more straightforward regulatory environment, so they don't have to spend too much energy or resources on adhering to compliance standards; but we also want to adapt our templates and software to help them find their exercise easier and less time-consuming using our methods.

Even though businesses have taken data protection seriously, the introduction of the PDPA has raised the bar even higher for data controllers. We are pleased to observe that Safecoms is taking the challenge of data protection under the Personal Data Protection Act (PDPA) with great seriousness, and has developed tools to help businesses comply at an affordable cost.

Michael Svenningsen • Co-Founder & Managing Director at EGN Thailand 

Personal Data Protection Committee

The Personal Data Protection Committee is a unique administrative body created to ensure the proper protection of personal data. This independent organization comprises experts in data protection, law, information security and other related areas. 

The principal goal of the committee is to oversee the regulations and laws concerning the collection, use, disclosure and storage of personal data. It serves as the supervisory authority, with primary responsibility for ensuring that data protection legislation is implemented correctly. The committee has significant authority to enforce the law, investigate complaints from Data Subjects, advise on and monitor developments, and promote awareness among Data Controllers and Data Processors.

The Personal Data Protection Committee is devoted to guaranteeing the highest level of protection for all personal data, upholding existing laws and safeguarding data subjects. 

In addition to offering insights into the most effective practices for businesses managing personal data, this organization spearheads strategies and action plans that strive to raise data protection standards across all industries.

By having a strong, independent body such as the Personal Data Protection Committee, organizations can ensure their individuals’ rights are respected and protected against misuse or unauthorized access to personal data.

In conclusion

We believe that through regular monitoring and training, your business will meet its goals and continue to uphold full compliance status with PDPA. Furthermore, our team can provide custom-tailored solutions to meet any specific needs that you may have. Ultimately, we want to ensure that your business is well-equipped with the knowledge and resources necessary for data protection compliance.

We appreciate you investing in your success by taking the time to go through this guide. We wish you all the best as you continue on your journey towards compliance!